The pros and cons of eIDAS qualified

Signicat having been approved as a qualified trust service provider (QTSP) according to the EU’s eIDAS regulation (Regulation (EU) 910/2014) spurs some reflections on what it means to be “qualified” and the trust services situation in Europe.

The eIDAS regulation has four parts: General provisions, electronic identification, trust services, and electronic documents. This blog post is only about trust services; the part where the “qualified” term is defined. However, note the importance of the very short part on electronic documents. This simply states that an electronic document shall not be denied legal effect solely on the grounds that it is in electronic form. A pre-requisite for electronic trust services is of course that electronic documents are accepted. This was not obvious in all European countries before eIDAS.

As an EU regulation, eIDAS applies in all EU member states, overriding national law in case of conflict. Since eIDAS is “of EEA relevance”, eIDAS also applies to Norway, Liechtenstein and Iceland.

eIDAS then sets out a few provisions on trust services in general, and detailed provisions for qualified trust services and their providers. “Qualified” is defined as fulfilling eIDAS requirements. All defined trust services can be qualified, except signature/seal creation services (still, such services can create qualified signatures/seals). Many qualified trust services and/or their outcomes are granted legal presumptions from eIDAS, e.g. a qualified time-stamp is granted the presumption of accuracy of date and time and integrity of the data bound to the time-stamp. Furthermore, one is not allowed to ask for more than qualified; this is the top level that is guaranteed to be accepted across the entire EEA area.

This greatly expands the qualified signature term from eIDAS’ predecessor, the EU e-signature directive. But the legal presumption from the directive is continued with eIDAS, that a qualified signature shall always be considered a proper replacement for a handwritten signature; this has been valid since 1999.

Has eIDAS’ concept of qualified been a success?

It is too early to answer. Judging from the number of actors, yes; by start of December 2018 the EU list includes 168 QTSPs. Three countries have none, and a few others only list actors that must be considered as marginal players. But since services can be offered cross-border, a lack of services in a country is not necessarily a problem. Close to 30 accredited conformity assessment bodies compete for the mandatory audits that each QTSP and its services must pass.

What we do not know is the market and revenue for the QTSPs. Some of them are governmental, semi-governmental, or public-private partnerships but the majority are commercial. Here, we find banks and banking service providers, postal services, notaries, chambers of commerce, and other actors that expand existing services into the digital space – plus specialist trust service providers like Signicat. Some are niche players offering one or a few services, and some aim to cover all or most trust services, qualified or non-qualified.

Qualified, whether it is qualified signature/seal or qualified trust service, is the top level, hence, also the most expensive level. Requiring this for all purposes may not be cost-effective. Requiring a specific service or mechanism (like a qualified signature, which today must be based on PKI technology) to be used for a process may be counter-productive; the service or mechanism must fit the process flow and the needs and capabilities of the actors. Signicat’s home market is the Nordic countries. These countries are among the most digitised in the world, and they have zero (or close to zero) requirements for qualified signatures or seals. While there was no doubt that Signicat should join the club of QTSPs, our home market experience makes us cautious not to push anything qualified unless it is really needed.

The pros of qualified are that it is guaranteed to be recognised and accepted across the EU for all purposes (national security excepted) and that, in some markets, qualified may be a ticket to trade. The cons are the price level and the potential lack of fit between the process at hand and qualified services/mechanisms. For non-qualified, the actors involved must agree what is sufficient for the process, which requires judgement but may lead to cost savings and smoother processes. A non-qualified trust service may well be recognised across the EU; the market decides but the recognition is not guaranteed.

Regarding qualified signatures, the idea of defining a signature level that can always be used to replace a handwritten signature, no questions asked, is a good idea. This fences off threats against digitisation from arguments that no digital mechanism is good enough. But unfortunately, in too many cases this idea is turned upside down by stating that qualified signature is the only mechanism that can replace a handwritten signature. One even sees the term “legally binding signature” used as a synonym for “qualified electronic signature”.

However, eIDAS is crystal clear in stating that:

“An electronic signature shall not be denied legal effect and admissibility as evidence in legal proceedings solely on the grounds that it is in an electronic form or that it does not meet the requirements for qualified electronic signatures.”

So, all electronic signatures are legally binding and can replace handwritten signatures, except in the presence of additional requirements that pose specific restrictions. Such extra requirements, e.g. requiring qualified signature for a purpose, can be found in national laws and regulations, in EU legislation (in practice seldom seen), in sectorial rule sets and best practices, or imposed by the involved actors themselves.

Qualified signatures have until now in too many cases been hampered by poor user experience. Hopefully, server-based signing services will both lower cost and do away with much of the user friction.

Based on these arguments, Signicat recommends use of an advanced or qualified signature only when at least one of the following holds true:

There is a legal requirement, typically from national legislation.

A risk analysis shows the need for a particular level of signature.

The mechanism (advanced/qualified) is a good fit for the process at hand.

Then, one can argue that the starting point, finding a substitute for a handwritten signature, can be challenged, as the result may be a digital process that mimics the paper process. While a handwritten signature is the only way to prove consent on paper, a digital consent can be obtained by a plethora of mechanisms that do not have to mimic paper signing. But that is a topic for a future blog entry.